Additional Actions Are Needed to Establish and Maintain Controls Over Computer Hardware and Software Changes

December 2003

Reference Number: 2004-20-026

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

December 16, 2003

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM:     Gordon C. Milbourn III
          Acting Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Additional Actions Are Needed to Establish and Maintain Controls Over Computer Hardware and Software Changes (Audit # 200320015)

This report presents the results of our review of the Internal Revenue Service's (IRS) configuration management (CM) process for computer hardware and software.[1] The overall objective of this review was to determine whether the IRS' Modernization and Information Technology Services (MITS) organization effectively implemented an enterprise-wide CM process.

The IRS is dependent on a large collection of computer systems with complex interdependencies among a network of mainframe computers, mid-range computers, individual computers, several hundred vendor-supplied software products, and millions of lines of computer code. The MITS organization is currently modernizing,[2] consolidating, and maintaining these computer systems to support the mission of the IRS. Responsibility for managing these computer systems is divided among the MITS organizations as follows:

• The Information Technology Services (ITS) organization develops, operates, and maintains computer hardware and software that supports the production environment.
• The Business Systems Modernization Office (BSMO) acquires and delivers new computer hardware and software for the IRS' modernized business processes.

[1] CM is a discipline that applies technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a piece of hardware or software, control changes to those characteristics and their related documentation, record and report change processing and implementation status, and verify compliance with specified requirements.
[2] The Business Systems Modernization program is modernizing the IRS' business processes and computer technology.

Among the disciplines needed to manage and coordinate these efforts is an integrated CM process to ensure that the integrity and consistency of the IRS' computer systems are maintained throughout their life cycles. The CM process systematically identifies and baselines[3] the items that make up a system (identification), formally controls any modifications to those items (control), reports on the status of the CM process (status accounting), and ensures that baseline configurations are implemented (audit).[4]

In summary, the MITS organization has made progress in defining and establishing an enterprise-wide CM process through the issuance of a CM Directive that describes the CM process to be used throughout the MITS organization, and standard operating procedures (e.g., configuration control boards, configuration items and baselines, and configuration control). The MITS organization has chartered a Configuration Management Working Group to establish, maintain, and improve the CM process.

However, the CM functions (i.e., identification, control, status accounting, and audit) have not been uniformly implemented within the MITS organization. An integrated, enterprise-wide implementation of the CM process within the MITS organization is particularly important for modernized systems that will migrate in stages or releases[5] to ensure computer system changes are properly managed throughout their life cycles. In addition, this process provides a means to document, communicate, and coordinate system development and production CM baselines between the BSMO and the ITS organizations. For example, as a result of CM control weaknesses, the Enterprise Systems Management (ESM) project incurred additional contractor costs of approximately $216,500 and a 4-month schedule delay to roll out ESM Release 2.1. Without an integrated and uniform CM process, there is an increased potential that modernized and existing systems will require extensive rework resulting in additional costs, schedule delays, and other risks to the IRS' computer operations (e.g., system outages and data corruption).

The implementation deficiencies found in the MITS organization's CM processes occurred because the MITS CM Directive and procedures did not establish executive level responsibility that would ensure that:

• The CM processes were implemented throughout the ITS organization and coordinated with the BSMO.
• Deficiencies identified in internal CM assessments were appropriately addressed.
• The different CM software[6] used by the MITS organization facilitated enterprise-wide CM.
• Policies were established defining authority levels and threshold criteria to approve and control production changes in the ITS organization.

[3] A baseline is a configuration identification document or set of such documents formally designated and fixed at a specific time during the life cycle. Baselines, plus approved changes, constitute the current configuration.
[4] See Appendix V for a diagram of these four CM functions.
[5] The BSMO systems that are scheduled to migrate to the production environment during Fiscal Years 2003 – 2005 are the Enterprise Systems Management (ESM), Integrated Financial System (IFS), Modernized e-File, e-Services, Custodial Accounting Project (CAP), Human Resources (HR) Connect, Internet Employee Identification Number, Internet Refund/Fact of Filing Project, Security Audit and Analysis System, and Customer Account Data Engine (CADE). The following systems will be migrated in stages: ESM, IFS, Modernized e-File, e-Services, CAP, HR Connect, and CADE.

To promote the establishment of an integrated MITS organization CM process, we recommended that the Chief Information Officer (CIO) modify the MITS CM Directive and procedures to: 1) assign responsibility for ensuring that MITS CM processes are implemented throughout the ITS organization and coordinated with the BSMO and that CM deficiencies are appropriately addressed; and 2) establish governance policies, similar to those used by the BSMO,[7] for defining the authority levels and threshold criteria to approve and control changes to the production environment in the ITS organization. Additionally, we recommended that the CIO develop a transition plan to implement standardized Enterprise Architecture compliant CM software to be used throughout the MITS organization to facilitate CM on an enterprise-wide level.

Management's Response: IRS management agreed with our recommendations. The MITS organization will revalidate its CM Directive to address organizational responsibility, governance policy, and needed improvements in the Configuration Control Board (CCB) structure. In addition, management will address the establishment of governance policies and threshold criteria to approve and control changes to the ITS production environment while establishing plans to organize separate CCBs for the ITS and BSMO organizations.
Regarding CM software, the MITS organization will identify acceptable CM software and publish applicable guidance upon the completion of ongoing CM software assessments within the ITS organization. Management's complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers who are affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[6] Examples include Computer Associates Endevor, IBM Rational Suite, and in-house developed databases.
[7] BSM Authority Levels and Threshold Criteria Directive, dated September 6, 2002.

Table of Contents

Background ..... Page 1
Progress Has Been Made in Implementing Configuration Management Processes ..... Page 2
Additional Actions Are Needed to Establish Integrated, Enterprise-Wide Configuration Management Processes ..... Page 4
    Recommendations 1 and 2: ..... Page 9
Appendix I – Detailed Objective, Scope, and Methodology ..... Page 10
Appendix II – Major Contributors to This Report ..... Page 12
Appendix III – Report Distribution List ..... Page 13
Appendix IV – Outcome Measures ..... Page 14
Appendix V – Overview of Configuration Management Functions ..... Page 15
Appendix VI – Management's Response to the Draft Report ..... Page 16

Background

The Internal Revenue Service (IRS) is dependent on a large collection of computer systems with complex interdependencies among a network of mainframe computers, mid-range computers, individual computers, several hundred vendor-supplied software products, and millions of lines of computer code. The IRS' Modernization and Information Technology Services (MITS) organization is currently modernizing,[1] consolidating, and maintaining these computer systems to support the IRS' mission.
Responsibility for managing these computer systems is divided among the MITS organizations as follows:

• The Information Technology Services (ITS) organization develops, operates, and maintains computer hardware and software that supports computer systems in production.
• The Business Systems Modernization Office (BSMO) acquires and delivers new computer hardware and software for the IRS' modernized business processes.

An integrated, enterprise-wide configuration management (CM)[2] process is essential for ensuring that the integrity and consistency of the IRS' computer systems are maintained throughout their life cycles. The purpose of CM is to systematically identify and baseline[3] the items that make up a system (identification), formally control any modifications to those items (control), report on the status of the CM process (status accounting), and ensure that baseline configurations are implemented (audit).[4]

Both the Treasury Inspector General for Tax Administration (TIGTA) and the General Accounting Office (GAO) have issued reports[5] on the IRS' Business Systems Modernization efforts that commented on the MITS organization's CM process. Our report focuses on the implementation of the CM processes throughout the MITS organization and on selected modernization projects that had migrated from the BSMO to support and maintenance within the ITS organization. Our audit work in the Office of Security Services was limited due to the anticipated restructuring of that office as part of the realignment of the IRS' management structure.[6] Personnel from the Office of Security Services indicated that they plan to place security policy documentation under CM control; therefore, no additional fieldwork was performed in that office.

Audit work was conducted in the MITS organization at the IRS National Headquarters in New Carrollton, Maryland, from May through September 2003. The audit was conducted in accordance with Government Auditing Standards. Detailed information on the audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] The Business Systems Modernization program is modernizing the IRS' business processes and computer technology.
[2] CM is a discipline that applies technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a piece of hardware or software, control changes to those characteristics and their related documentation, record and report change processing and implementation status, and verify compliance with specified requirements.
[3] A baseline is a configuration identification document or set of such documents formally designated and fixed at a specific time during the life cycle. Baselines, plus approved changes, constitute the current configuration.
[4] See Appendix V for a diagram detailing the interrelationship of these four CM functions.
[5] TIGTA report, Modernization Project Teams Need to Follow Key Systems Development Processes (Reference Number 2002-20-025, dated November 2001), and GAO reports, Business Systems Modernization: IRS Needs to Better Balance Management Capacity with Systems Acquisition Workload (GAO/AIMD-02-356, dated February 2002), and Business Systems Modernization: IRS Has Made Significant Progress in Improving Its Management Controls, but Risks Remain (GAO/AIMD-03-768, dated June 2003).
[6] The IRS announced on May 22, 2003, through Press Release Statement Number IR-2003-67, a realignment of the IRS' management structure.

Progress Has Been Made in Implementing Configuration Management Processes

MITS organization management has recognized the need to institutionalize an enterprise-wide CM process throughout their organization and issued a CM directive in August 2002 to support that need. Management has taken several specific actions to implement this directive as well as an enterprise-wide CM process.
Specifically, the MITS organization has taken the following actions:

• Chartered a MITS Configuration Management Working Group (CMWG) to establish, maintain, and improve CM processes, procedures, and techniques to be used throughout the MITS organization.
• Issued various CM standard operating procedures (e.g., configuration control boards [CCB],[7] configuration items [CI][8] and baselines, configuration control, and configuration management process compliance assessments).
• Conducted CM process compliance assessments of eight BSMO projects to evaluate whether CM policy and procedures were being followed.
• Chartered a MITS CCB as the authority for receiving, reviewing, and approving proposed system change requests and changes to system baselines that have a cost impact that exceeds the dollar threshold and authority levels established for lower level project CCBs. The MITS organization CCB is also intended to be the forum to resolve conflicts such as those resulting from request impact analysis and authority issues that occur at or among the subordinate CCBs for individual projects.
• Chartered project level CCBs within the BSMO, such as the Internet Refund/Fact of Filing (IRFOF) Project and the Infrastructure Modernization Project.
• Issued a directive[9] that defined the BSMO's authority levels (e.g., for BSMO project level CCBs) and threshold criteria for changing BSMO project baselines for schedule, cost, or requirements. For example, the BSMO Infrastructure Modernization Project CCB has the authority for approving proposed change requests that affect infrastructure modernization projects with a cost impact threshold of less than $500,000, and those above this level would be forwarded to a higher level CCB.
• Chartered organizational level CCBs within ITS (e.g., for the Detroit, Martinsburg, and Tennessee Computing Centers).
• Established the Office of Configuration Management (OCM) within the BSMO, whose chief, as chair of the MITS CMWG, is responsible for establishing, maintaining, and improving CM processes and procedures throughout the MITS organization.

The ITS organization has an effort underway to align the existing computing center CM processes with the Triplex Strategy.[10] Further, the BSMO has developed a CM training plan, developed CM training courses, and held initial CM classes for the MITS organization.

Our review identified that the MITS organization has made progress in implementing a CM process; however, as explained below, further actions are needed to establish and integrate uniform CM implementation processes across the MITS organization.

[7] A CCB is a group composed of project stakeholders, technical representatives, and CM representatives with the authority to review and dispose of requests for changes to configuration items within the board's statement of scope.
[8] A configuration item is an aggregation of hardware, software, and documentation, which satisfies an end use function, is designated for CM control, and is treated as a single entity in the CM process.
[9] BSM Authority Levels and Threshold Criteria Directive, dated September 6, 2002.
[10] The Triplex Strategy is an effort to improve the three computing centers' operations efficiency and effectiveness, including disaster recovery capabilities.

Additional Actions Are Needed to Establish Integrated, Enterprise-Wide Configuration Management Processes

Treasury Directive 84-01, Information Systems Life Cycle Manual, dated March 2002, requires CM to be used throughout every project's life cycle. It also defines the four CM functions of identification, control, audit, and status accounting. The IRS has incorporated these requirements into its systems life cycle methodologies (Enterprise Life Cycle [ELC] and ELC-Lite), the Enterprise Architecture (EA), and the MITS organization CM Directive and procedures. The MITS organization CM Directive also cites the American National Standards Institute/Electronic Industries Alliance Standard 649, National Consensus Standard for Configuration Management, an industry CM best practice.
Additionally, the Office of Management and Budget Circular A-123, Management Accountability and Control, dated July 1995, requires that the appropriate authority, responsibility, and accountability are defined and delegated to accomplish the implementation of the CM process and that an appropriate organizational structure is established to effectively carry out these CM responsibilities.

However, the CM functions outlined in Treasury Directive 84-01 have not been uniformly implemented within the MITS organization. Specifically, the following areas could be improved for each of the four required CM functions:

Identification: The IRS identified CIs for the current production environment that affected modernization project releases in 2002. However, not all ITS divisions have identified and baselined the CIs for their production systems. An OCM contractor was identifying the CIs; however, the effort was not completed because funding for the contractors was cut in February 2003. An effective CM process requires that CIs be identified. These items must be identified and controlled prior to establishing system baselines for production systems that will be affected by BSMO projects.

Control: The BSMO has chartered project level CCBs to control changes to the BSMO project baselines and established threshold criteria for decision-making by the project and MITS CCBs, as well as Executive Steering Committees. However, the ITS organization has not chartered lower level CCBs, except for the Enterprise Operations Services' (EOS) Computing Center CCBs, which are change management[11] rather than CM oriented. The EOS plans to establish a CM process as part of its Triplex initiative. An effective CM process requires a CCB to set and control baselines.

Status Accounting and Audit: The BSMO is performing the CM status accounting and audit functions. The OCM performed CM compliance assessments of several BSMO projects and identified problems with at least one of these functions in each assessment. Although the BSMO project managers have the responsibility to correct project specific CM process issues, the OCM does not have the authority to ensure that the issues are corrected. Also, the ITS organization is not performing the status accounting and audit functions because it has not finished establishing the identification and control processes.

Without an integrated, enterprise-wide CM process, the IRS cannot adequately assure that changes to its computer system configurations are properly managed throughout their life cycles. An integrated, enterprise-wide implementation of the CM process within the MITS organization is particularly important for modernized systems that will migrate in stages or releases[12] to ensure computer system changes are properly managed throughout their life cycles. In addition, this process provides a means to document, communicate, and coordinate system development and production CM baselines between the BSMO and the ITS organizations.

For example, the Enterprise Systems Management (ESM) project experienced schedule delays and incurred additional costs because it did not have an integrated, enterprise-wide CM process. For the ESM project, such a process is necessary since different organizations are responsible for developing and deploying ESM releases. Specifically, the ESM team from the IRS' PRIME Business Systems Modernization contractor (PRIME) is responsible for development, and the ITS' End-User Equipment and Services (EUES) organization is responsible for deployment.

In February 2003, during the ESM Release 2.1 deployment, the EUES organization, with support from the PRIME, upgraded the ESM production environment. During this upgrade, changes were introduced to the production environment without adequate testing or adherence to CM processes. As a result of these CM weaknesses, a database server experienced serious, unexpected performance problems. Resolution of the performance problems delayed the implementation of ESM Release 2.1 for 4 months and increased the PRIME contractor's cost by approximately $216,500 since this work fell outside the scope of the PRIME contractor's existing task orders.

The ESM system is just one of several modernized systems that will be migrated in stages over the next several years. Between Fiscal Year (FY) 2003 and FY 2005, the IRS scheduled nine other modernized systems to migrate to the production environment. These modernized systems include new tax administration and financial management systems. These modernized systems not only have interdependencies with each other, but also with the existing IRS systems. Consequently, delays in one project can cause delays in others. For example, the delays in implementing ESM Release 2.1 delayed full management reporting functionality for the IRFOF system.

Several factors contributed to the implementation deficiencies found in the MITS organization. First, the MITS organization CM Directive and procedures did not establish executive level responsibility that would ensure that the MITS organization CM processes are implemented throughout the ITS organization and coordinated with the BSMO, and that deficiencies identified in internal CM assessments are appropriately addressed. Second, governance policy has not been established for defining authority levels and threshold criteria to review, approve, and control production changes in the ITS organization or for elevating change requests from the ITS organization to a higher-level CCB or committee for approval or coordination such as that found in the BSMO organization.

In addition, some ITS organizations use different CM software that does not comply with the current EA and may not readily facilitate the coordination of system baseline information on an enterprise-wide CM level. The current revision of the IRS' EA, dated July 9, 2003, includes an Enterprise Standards Profile that identifies commercial off-the-shelf software products for use in various computer environments. However, prior EA versions and the MITS organization CM policies and procedures did not identify approved CM software for enterprise-wide use. As a result, some ITS organizations use CM software that does not comply with the current EA. The use of non-compliant software to automate the CM process places the ITS organizations at risk of not being able to effectively communicate and coordinate changes on the production environment with affected organizations and projects, such as BSMO projects that have production environment interdependencies.

[11] Change management is the process of controlling changes to a system to ensure that only authorized changes are applied.
[12] The BSMO systems that are scheduled to migrate to the production environment during Fiscal Years 2003 – 2005 are the Enterprise Systems Management (ESM), Integrated Financial System (IFS), Modernized e-File, e-Services, Custodial Accounting Project (CAP), Human Resources (HR) Connect, Internet Employee Identification Number, IRFOF, Security Audit and Analysis System, and Customer Account Data Engine (CADE). The following systems will be migrated in stages: ESM, IFS, Modernized e-File, e-Services, CAP, HR Connect, and CADE.
Since a variety of CM software is\n                  currently being used, a period of transition will be needed to\n                  review and establish the CM software to be used and\n                  integrated throughout the MITS organization.\n                  For example, a contributing cause for not adhering to CM\n                  processes for the ESM project was the use of different\n                  automated software to manage changes for the project. The\n                  BSMO and the PRIME use IBM\xe2\x80\x99s Rational\xef\xa3\xa8 software for\n                  configuration management, and the EUES organization uses\n                  IRS developed software to control change requests.\n                  Without an integrated and uniform CM process, there is an\n                  increased potential that modernized and existing systems\n                  will require extensive rework resulting in additional costs,\n                  schedule delays, and other risks to the IRS\xe2\x80\x99 computer\n                  operations (e.g., system outages and data corruption).\n\n\n\n\n                                                                         Page 8\n\x0cAdditional Actions Are Needed to Establish and Maintain\nControls Over Computer Hardware and Software Changes\n\n                  Recommendations\n\n                  To promote the establishment of an integrated MITS\n                  organization CM process, we recommend that the Chief\n                  Information Officer:\n                  1. 
Modify the MITS organization CM Directive and\n                     procedures to: a) assign organizational responsibility for\n                     ensuring that MITS organization CM processes are\n                     implemented throughout the ITS organization and\n                     coordinated with the BSMO and that CM deficiencies\n                     are appropriately addressed; and b) establish governance\n                     policies, similar to those used by the BSMO, for\n                     defining the authority levels and threshold criteria to\n                     approve and control changes to the production\n                     environment in the ITS organization.\n                  Management\xe2\x80\x99s Response: The MITS organization will\n                  revalidate its CM Directive to address organizational\n                  responsibility, governance policy, and needed improvements\n                  in the CCB structure. In addition, management will address\n                  the establishment of governance policies and threshold\n                  criteria to approve and control changes to the ITS\n                  production environment while establishing plans to organize\n                  separate CCBs for the ITS and BSMO organizations.\n                  2. 
Develop a transition plan to implement standardized\n                     EA-compliant CM software to be used throughout the\n                     MITS organization to facilitate CM on an enterprise-\n                     wide level.\n                  Management\xe2\x80\x99s Response: The MITS organization will\n                  identify acceptable CM software and publish applicable\n                  guidance upon the completion of ongoing CM software\n                  assessments within the ITS organization.\n\n\n\n\n                                                                        Page 9\n\x0c                    Additional Actions Are Needed to Establish and Maintain\n                    Controls Over Computer Hardware and Software Changes\n\n                                                                                                      Appendix I\n\n\n                           Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine whether the Modernization and\nInformation Technology Services (MITS) organization effectively implemented an\nenterprise-wide configuration management (CM) process.1\nAs part of this review, we interviewed personnel and reviewed CM documentation throughout\nthe MITS organizations of Business Systems Modernization Office (BSMO), Information\nTechnology Services (ITS), Business Planning and Assurance, and Security Services. Within the\nBSMO, we interviewed personnel from the Office of Configuration Management and Systems\nEngineering & Integration Division as well as the project teams for the Enterprise Systems\nManagement (ESM) and Internet Refund/Fact of Filing (IRFOF) projects. 
Within the ITS organization, we interviewed personnel from the Infrastructure Architecture and Engineering, Business Systems Development, Enterprise Operations Services, End User Equipment and Services, Enterprise Networks, and Web Services functions.

This audit assessed the CM processes throughout the MITS organization and selected projects that migrated from acquisition by the BSMO to support and maintenance by the ITS organization. The ESM and IRFOF projects were judgmentally selected from the population of BSMO projects based on one project having been fully migrated and another being migrated in stages or releases to the production environment. The IRFOF Project was selected as a project that had migrated from the BSMO environment to the production environment, which is operated and supported by the ITS organization. The ESM project was selected as a project that migrated in stages or releases since a release was already being supported in the ITS' production environment and future releases were being developed by the IRS' PRIME Business Systems Modernization contractor that is overseen by the BSMO.

To accomplish the overall objective for this audit, we:

I.   Identified applicable Federal Government standards and industry best practices that guide the CM process. This included Department of the Treasury directives, Office of Management and Budget circulars, and information technology standards organization documents.

II.  Evaluated the ITS Executive and the BSMO Office of Configuration Management roles and responsibilities for administering the enterprise-wide CM process.

III. Evaluated the policies and procedures supporting the enterprise-wide CM process.

1 CM is a discipline that applies technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a piece of hardware or software, control changes to those characteristics and their related documentation, record and report change processing and implementation status, and verify compliance with specified requirements.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Gary V. Hinkle, Director
Theodore Grolimund, Audit Manager
Kevin Burke, Senior Auditor
Christopher Funke, Senior Auditor
Frank Greene, Senior Auditor
Michael Howard, Senior Auditor
Tina Wong, Senior Auditor
Olivia Jasper, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Associate Commissioner for Modernization OS:CIO:B
Chief, Information Technology Services OS:CIO:I
Chief, Mission Assurance OS:MA
Director, Business Systems Development OS:CIO:I:BSD
Acting Director, End User Equipment and Services OS:CIO:I:EU
Director, Enterprise Networks OS:CIO:I:EN
Director, Enterprise Operations OS:CIO:I:EO
Director, Infrastructure, Architecture and Engineering OS:CIO:I:IA
Director, Portfolio Management OS:CIO:R:PM
Director, Web Services OS:CIO:I:W
Manager, Enterprise Systems Management OS:CIO:I:EU:ESM
Manager, Office of Configuration Management OS:CIO:B:MP:CM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
        Associate Commissioner for Modernization OS:CIO:B
        Chief, Information Technology Services OS:CIO:I
        Chief, Mission Assurance OS:MA
        Director, Business Systems Development OS:CIO:BSD
        Director, End User Equipment and Services OS:CIO:I:EU
        Director, Enterprise Networks OS:CIO:I:EN
        Director, Enterprise Operations Services OS:CIO:I:EOS
        Director, Infrastructure, Architecture and Engineering OS:CIO:I:IA
        Director, Web Services OS:CIO:I:W
        Program Manager, Program Oversight and Coordination OS:CIO:R:PM:PO

Appendix IV

Outcome Measures

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. This benefit will be incorporated into our Semiannual Report to the Congress.

Type and Value of Outcome Measure:

    •   Inefficient use of resources – Actual; $216,500 (see page 4).

Methodology Used to Measure the Reported Benefit:

Not having an integrated, enterprise-wide Configuration Management (CM) process1 was demonstrated by the schedule delays and increased costs of the Enterprise Systems Management (ESM) project. The ESM Release 2.1 was developed by the Internal Revenue Service's (IRS) PRIME Business Systems Modernization contractor (PRIME) and deployed by the Information Technology Services' End-User Equipment and Services (EUES) organization. In February 2003, during the ESM 2.1 deployment, the EUES organization, with support from the PRIME, upgraded an ESM production environment.

During this upgrade, changes were introduced to the production environment without adequate testing or adherence to CM processes and, as a result, a database server experienced serious, unexpected performance problems. A contributing cause for not adhering to CM processes was the use of different automated software to manage changes for the ESM project.
The Business Systems Modernization Office and the PRIME use IBM's Rational® software for configuration management and the EUES organization uses IRS-developed software to control change requests. Resolution of the performance problems delayed the implementation of ESM Release 2.1 for 4 months and increased the PRIME contractor's cost by approximately $216,500 since this work fell outside the scope of their existing task orders. This cost was documented in a notification of change letter to the PRIME contract, sent to the IRS on April 11, 2003.

1 CM is a discipline that applies technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a piece of hardware or software, control changes to those characteristics and their related documentation, record and report change processing and implementation status, and verify compliance with specified requirements.

Appendix V

Overview of Configuration Management Functions
(Adapted From the Modernization and Information Technology Services (MITS) Configuration Management Plan, Version 2.1, October 8, 2001)

Configuration Management
    •   Identification.
    •   Control.
    •   Status Accounting.
    •   Reviews/Audits.

Identification
    •   Assign a unique designator to MITS products.
    •   Develop and maintain Application Group configuration management (CM) Logs.
    •   Develop and maintain a CM Master Log.
    •   Establish Configuration Item (CI) Index.
    •   Verify identification for CIs, technical documentation, and baselines.
    •   Assign a unique tracking number to Request for Information Services and Change Requests.

Control
    •   Receive and place MITS CIs and technical documentation in Internal Revenue Service repositories thereby providing physical control.
    •   Process requests for CIs and technical documentation.
    •   Provide change request information.
    •   Assure that no unauthorized changes to controlled products are made.
    •   Deliver product/system releases from controlled CIs and technical documentation including associated changes to authorized baselines, thus ensuring data integrity.

Status Accounting
    •   Receive CIs and technical documentation for entry into the Configuration Status Accounting (CSA) System (i.e., data entry).
    •   Generate CSA reports including metrics and schedule information.

Reviews/Audits
    •   Support and ensure that functional and physical configuration audits are conducted as required.
    •   Conduct internal CM Audits and Reviews.

Appendix VI

Management's Response to the Draft Report